Fixing the World One Hack at a Time

JUL 2018 EDIT: So I had everything on dropbox, but my account got suspended, so I moved everything to mediafire. That account also got suspended, so I’ve removed the links to those to avoid problems. Let’s try Google Drive!

Real life has gotten in the way of this project, and I’m sorry I don’t have anything to report on yet. My Xbox has been in my closet for well over 2 years now, and I don’t think I will have the time to see this through. Please share your successes and failures! I’d love to hear about anyone who can get this working.

While I still have not made as much headway as I would have liked to, I am slowly inching towards my original goal.

I have made a decent discovery. As I posted earlier, when I try to flash the new firmware onto my hard drive with ST_MEM_SDLD, the flashing usually succeeds, but the drive refuses to see that APP code, and I am stuck in Level F. I recently discovered, however, that if I switch back and forth between PuTTY and ST_MEM, it works about 90% of the time. At first, I set the speed and send the initial preparatory flashing command via PuTTY, then disconnect that terminal and switch to ST_MEM for the actual flashing procedure. (PuTTY doesn’t have the necessary code for the SDLD protocol. If I could find some documentation on this protocol, I would try to put it in myself.)

As it stands, the APP Code flashes successfully most of the time, and I am able to get to Level T, but as yet I still have not been able to get the CERT Code to flash correctly. I’m not sure what I am doing wrong. I keep working, though, in hopes that someday soon its secrets will be made known to me. We are making progress!

I have also discovered that by using an Arduino in place of my TTY/RS232 adapter, I have gotten a more reliable connection. This has resulted in fewer failed flash attempts. (Prior to using this, sending the APP code would freeze halfway through, and I would have to start over about 65% of the time.)

To set up an Arduino to do this, just put a jumper wire from the Reset Pin to GND. Then your computer will detect the Arduino as a COM port. You can then hook up your hard drive to the Tx and Rx pins on the Arduino.

I think a lot of you have been thinking that I have forgotten this project, or have given up. This is definitely not the case. I have not really had much to report lately, but I have had a few mild, yet incomplete successes in restoring my hard drive to working condition.

With the help of Vorian, who commented on my very first post, I have been able to get a firmware that was made for my drive. I also was able to flash the first parts of the app code to the drive, and was also once able to again access the T> prompt of the drive. Unfortunately for me it would seem that st_mem_sdld is quite buggy, and very unpredictable in its results. Since this is the case, I am still stuck with a bricked drive. I am in the process of trying to find another/better way of sending the app code, cert code, and cert tables to the drive.

As you can see, the process, when it decides to work, can work. I am still very hopeful for what the future might bring, and look forward to finishing this hack.

When I do finally figure out the best solution, I will create another post with full details of the process. If any of you have any suggestions, I am as always open, and will try my best to respond to every comment I get.

Thanks again to Vorian for all the help he has given me over the past few weeks.

I just wanted to thank you guys for all your help with my little project so far. I also wanted to inform you that all of the utilities I have been using have been uploaded to my personal cloud space. I was put onto st_mem_sdld and other things with your help, so to make it easier for others to find in the future, they will be available from me. I’ve also included hddhackr 1.3, Xplorer 360 250 gig, and the free version of SeDiv.

Over the past couple of months, I have been on a quest. This quest has led me to many different locales, and it is still ongoing. Unfortunately, my quest has hit a roadblock of sorts for the moment, but it has not ended. I will explain more on that in a minute, but for now, I wanted to document the things I have found out thus far.

After hours of searching the net for a way to use a Seagate hard drive in my Xbox, there was not a whole lot of happy news; however, I have pieced together many sources, and have been able to change many of the drive’s parameters manually, effectively mirroring the functions of HDDHACKR. This is the main holdup that Seagate drives face. There is no automated way of doing this like there is with a Western Digital Drive. Just for your information, the information in my post is not for the faint of heart, and you probably will kill your hard drive if you are not very careful. I take no responsibility for what you do to your hard drive. This is in no way a complete tutorial, nor can I guarantee that this will work for you. My hope is that someone will benefit from the information that I have pieced together. Even though I have not completed this project, I believe I have found enough information that someone somewhere will have better luck than I have.

It is about 2:00 in the morning as I finish typing this, and I am on my way to bed. This is a work in progress, so pictures will come at a later date. For now, I am happy with what has been written, and it will suffice for now.

Required Materials

-Hex Editor (I use HxD. It’s free, and it works quite nicely. wxHexEditor works nicely for our *Nix friends as well. You need one that is able to open a physical disc.)

-RS232 to TTL Adapter (Max32 or similar. You can even use an Arduino if you don’t have anything else)

-Jumper wires for adapter

-Official Xbox 360 HDDSS.bin FROM a Seagate drive (more on this in a minute, but luckily I have found this for you, and will upload it for you.) http://minus.com/lw50E2TwPtkJz

-External SATA enclosure (Makes it easier to control the power to your hard drive, without having to take apart your computer.)

-A SATA Controller that is compatible with HDDHACKR (We will not be flashing the firmware with this, but we will still be creating the partitions. You can do this manually also, but I will not detail that here)

-Plenty of time to experiment, and learn how to navigate the Seagate TMOS. I will tell you the commands I used to get as far as I did, but some of these commands vary from drive to drive. Even the same model numbers with different firmware revisions will have different command sets. BE VERY CAREFUL PLAYING WITH THESE SETTINGS. Take the time to learn what the commands do for yourself. The biggest mistake I made was trying a command that wasn’t made for my drive, and I have effectively bricked it for the moment.

-An Understanding of Hex. We will be dealing with hex addresses, and hex offsets. It will be much easier to follow if you understand Hex.

-Patience. You will mess something up somewhere along the way. I can almost guarantee it. If you are not a patient person, you will just get frustrated and then definitely screw something up. If you are feeling a bit frustrated, do yourself and your hard drive a favor, and take a break. It won’t do you any good to work on it while you are upset, and you’ll likely mess something else up in the process.

-SeDiv (Not a requirement, but highly recommended. You can use Putty or Hyper-Terminal if you wish, but SeDiv is designed for the work that we are doing. If you do decide to download SeDiv, you will need Windows XP SP2. It does not work on Windows Vista or 7. You will also need to set your system clock back to 2007 or 2008.)

A Little Background Information

My first spark of inspiration was this site: http://tinyurl.com/6y75pxj. In this thread is a detailed list of how to manually place the security sectors of an official Xbox drive onto a different hard drive. The poster states that he has used this method to use a Seagate drive in his Xbox; however the tutorial itself was performed on a Western Digital drive. After numerous failed attempts at contacting the author of this thread and a few others, I did a bit more digging.

In short, what I learned was that when HDDHACKR modifies a hard drive’s firmware, it changes 4 main things. These changes are taken from a valid hddss.bin that has been dumped from an official Xbox Hard Drive.

It changes the Model Number

It changes the Serial Number

It changes the LBA

It changes the Firmware Revision

After changing these things, it will then copy the information in the hddss.bin file to sectors 16-22 of the hard drive itself.

The previous link details the security sector of an official drive, and how it is structured. Basically the Xbox compares the information in these sectors (or the hddss.bin) to the physical drive’s information. If even one of the things in this list is not correct, the Xbox will refuse to see the hard drive as available local storage.

So, our goal is to change all of this information on the drive ourselves. This proves somewhat difficult however because there is not very much documentation on how this is done. There is a lot of guess work, and crying. In the end, our goal will be to change the previous 4 items to the following.

Model number will be ST9250315AS (Will be entered in Hex)

Serial Number will be 5VCF5J11

LBA will be 70 59 1C 1D (Hex value)

Firmware Revision will be 0002CE02 (Will be entered in Hex)

Another problem that exists is that a Seagate hard drive only allows 8 character serial numbers, and most of the available hddss.bin files freely available on the net are dumped from Hitachi drives. These drives have serial numbers that are up to 15 characters. Since this is the case, there is no way to successfully spoof the drive into looking like a Hitachi. The only real solution is to use an hddss.bin file that has been dumped from an official Seagate drive.

Oh yeah, for your information, all of my findings were done on a Seagate ST9250827AS Rev. 3.AAA

Connecting with SeDiv or Putty

To test your connection, open Putty or SeDiv, and open the connection with 9600 for your baud rate, 8 data bits, no parity, 1 stop bit, and no flow control. Plug the power into the hard drive, but not the data cable. If it works you will see some text come up in the terminal. If not you may have your Tx and Rx wires reversed.

If you look to the left of the Power/SATA connector on the drive you are working on you will notice a few small pins. These pins are for the diagnostics port of the drive. From right to left, the pins are Rx, Tx, Gnd. There is a fourth pin, but you need not concern yourself with it. When connecting your TTL adapter, Rx on the Drive goes with Tx on the adapter, and Tx on the drive goes with Rx on the adapter. If you use an external enclosure to supply power to the drive, you shouldn’t have to worry about the ground connection because the USB connector should take care of that. Otherwise, you will have to find a way to ground them together.

For me, it says something like:

Buzz HM SFI

!

(P)S

If you get to this point, great! If not, you will need to do some more research on your own. There are quite a few tutorials about this lying around. You may have a look at https://sites.google.com/site/seagatefix/ – This will show you all the steps involved in creating a TTL adapter. The Baud rate is different from my drive, but you may need to try some different speeds to get yours working.

Basic Terminal Structure and Changing the Serial Number

So, once you have gotten the output in Putty or SeDiv, press Ctrl-Z. This should bring you to a prompt that says something like:

T>

So you know, every command that you enter in this prompt is case sensitive, so you will need to watch what you are entering. Some commands have completely different effects whether you use the upper case or lower case command. Know that if you are not paying attention you can easily brick your drive with a one letter command. Please be careful. The prompt does not recognize backspace, so if you make an error, you are kind of stuck with it. If you have a doubt about what you entered, your best option is to press Ctrl-C BEFORE hitting enter. This will restart the terminal. Sometimes this means you will probably have to re-enter everything you just did, but it’s better than overwriting something that could brick your drive. Please also know that copy and paste doesn’t work very well with the prompt. It will usually end poorly, so even though it’s a pain, I highly recommend typing every command manually.

The command prompt is separated into different levels. Each level has a different function, and different commands to go along with it. Some of the commands you can enter at one level work completely differently than they would at another level, so keep an eye on which level you are on. There is a level for each of the numbers 1-9, and for a few different letters. The letter levels I know about are C, F, and T. We will be mainly dealing with Level T. The level is shown before the > at the prompt. So the above example would be at Level T. If you want to change to Level 2 for instance, you can do so with the following command:

T>/2

(note: you only type the “/2”)

This would change the prompt to:

2>

Some Seagate hard drives can tell you a list of the commands available to you, but mine did not, at least not with the examples I found. You can try this on your drive however, by changing to Level C and using the “Q” command.

As I stated however, basically everything we need to do can be accessed from Level T. If you are not there currently, then type /T to get there and we should be back to:

T>

The first thing we are going to change is the Serial Number of the drive. This is the easiest thing to do in the console, so we are going to do this first.

At the prompt type “#”

The prompt will then ask you to enter the drive’s serial number. If you open the hddss.bin file I have supplied with a hex editor, and compare it to the site I linked to before, you can see that the serial number is “5VCF5J11”. Enter this Serial Number into the prompt and hit enter. It will then ask you for the Pack-Writer Serial Number. I just left this blank, so hit enter and go on.

It will look something like this:

T>#

Enter Drive S/N 5VCF5J11

Enter Packwriter S/N

T>

Congrats! You are a fourth of the way there. You have successfully changed the Serial Number (hopefully :D)

AT Stuff, SetStuff, and Changing the Model Number

Back at Level T, the next thing you will want to do will help you find the offset of your model number. This is called “AT Stuff”. This is accomplished by pressing Ctrl-U at the prompt. (If you read the data sheets I’ve linked documenting how to use the console, this will be shown as ^U. Any command in this manual with ^ in it means Ctrl+ whatever the key was, i.e. ^Z is Ctrl-Z, etc.)

So pressing Ctrl-U at the T> prompt brings something like:

T>^U

AT Stuff

0000: 0c5a 3fff c837 0010 0000 0000 003f 0000

0008: 0000 0000 2020 2020 2020 2020 2020 2020

0010: 3556 4346 354a 3131 0000 4000 0004 332e

0018: 4141 4120 2020 5354 3932 3530 3832 3741

0020: 20ff 2020 2020 2020 2020 2020 2020 2020

0028: 2020 2020 2020 2020 2020 2020 2020 8010

0030: 3331 2f00 4000 0200 0200 4153 3fff 0010

0038: 003f 3235 0000 0010 ffff 0fff 0000 0007

0040: 0003 5320 0078 0078 0078 0000 0000 0000

0048: 0000 0000 0000 001f 0506 0000 0048 0040

0050: 01f0 0029 346b 2020 6103 0461 1000 4103

0058: 007f 0000 0000 8080 fffe 0000 fe00 0000

0060: 0000 0000 0000 0000 5970 1d1c 0000 0000

0068: 0000 0000 4000 0606 0000 0000 0000 0000

0070: 0004 0000 0000 0000 0000 0040 0f41 0000

0078: 0000 0000 0040 0000 0440 0400 0800 0180

0080: 0001 5970 1d1c 5970 1d1c 2020 0002 0ab6

0088: 8002 0000 3c06 3c06 ffff 07c6 0100 0000

0090: 100f 1800 0002 0080 0000 0000 6080 0000

0098: 0000 0000 0000 0000 0000 0000 1e00 000b

00a0: 000f 0006 0003 0000 0032 0014 0033 0024

00a8: 000f 001e 0032 0000 0013 0022 0032 0014

00b0: 0032 0000 003a 0000 0022 002d 0032 0000

00b8: 0032 0000 0022 0000 001a 0000 0012 0000

00c0: 0010 0000 003e 0000 0000 0000 0032 0000

00c8: 0000 0000 0000 0000 0000 0000 0000 0000

00d0: 0000 0000 0000 0000 0000 0000 0000 0000

00d8: 0000 0000 0000 0000 0001 0002 ffff ffff

00e0: 0000 0000 0003 0066 1770 0015 0025 1200

00e8: 0000 0000 0000 0000 0000 0000 0000 0096

00f0: 0001 0000 0000 0200 0001 0000 0000 0000

00f8: 0000 0000 0000 1556 0000 0000 0000 0000

DRIVE HAS BEEN SET-STUFFED –

This is a lot of information for us, but fortunately it is also quite useful. Make sure when you run this command, you copy what you see in the window to a text file. We will refer to it a couple more times.

On the left before the colon is the starting offset of that line. So,

0000: 0c5a 3fff c837 0010 0000 0000 003f 0000

(0000)(0001)(0002)(0003)(0004)(0005)(0006)(0007)

starts at the beginning. This offset begins with 0000. So in this line offset “0000” is “0c5a”. Offset “0003” is “0010”. These lines are only 8 offsets long, running from 0000 to 0007. The next line runs from 0008 to 000f, and so on. What we are looking for here at the moment is our drive’s Model number. An easy way of accomplishing this is copying and pasting each line, minus the offset number, into our hex editor. This will display the Plain Text of what our hex codes mean. So,

0c5a 3fff c837 0010 0000 0000 003f 0000

Translates into:

.Z?ÿÈ7…….?..

Not exactly the most helpful information in the world, but if we keep going, we find some interesting things. In particular, look for a line that has a value with “5354”. This value translates to “ST”, and that is the beginning of our model number. I found mine at offset 1b. This is the line:

4141 4120 2020 5354 3932 3530 3832 3741

Which translates into:

AAA ST9250827A

Even though the rest of the model number spills onto the next line, we can clearly see that this is valuable information. We obviously need to change this, so we do that with the SetStuff command, which is F. This is also accessed through Level T. Our Target Model number is ST9250315AS, which in hex is 5354 3932 3530 3331 4153. We need to change the offsets one at a time, so the commands would be as follows.

T>F

SetStuff->ASCI1B5354

Stuff key 1b -> 53 54

So, we type F, which prompts us with SetStuff->, to which we enter ASCI1B5354. Every command we will enter with SetStuff will always begin with ASCI (Not to be confused with ASCII) immediately followed by the offset (1B), which is also immediately followed by what hex value we want to change it to (5354). If our command was correct, it will give us Stuff key 1b -> 53 54, showing that the operation was successful. If it doesn’t show Stuff Key ->, the operation was not successful, and you will have to try again. Make sure you typed it correctly.

So, we need to do this to all the offsets of our model number. According to some websites that I checked it is good to enter spaces (hex 20) after the model number for a few offsets to make sure that the model number doesn’t have any garbage characters after it. So,

SetStuff->ASCI1C3932

Stuff key 1c -> 39 32

T>F

SetStuff->ASCI1D3530

Stuff key 1d -> 35 30

T>F

SetStuff->ASCI1E3331

Stuff key 1e -> 33 31

T>F

SetStuff->ASCI1F4153

Stuff key 1f -> 41 53

T>F

SetStuff->ASCI202020

Stuff key 20 -> 20 20

T>F

SetStuff->ASCI212020

Stuff key 21 -> 20 20

T>F

SetStuff->ASCI222020

Stuff key 22 -> 20 20

T>F

SetStuff->ASCI232020

Stuff key 23 -> 20 20

T>W

When we finish overwriting the model number, we send the W command. This writes the changes to disc.

At this point, I would suggest restarting the terminal, and running ^U again. You can look at the AT Stuff log again, and check the offsets to see if your changes are intact. If they are ok here, power off the drive and disconnect the serial cable. Connect the data and power cables to the drive, and turn it back on. When Windows detects it, keep an eye on what model number shows up in the Device Manager. If it is our new model number, then you have been successful. If junk characters or anything extra appear next to the drive name, you may need to go back and use the SetStuff command to add spaces to a few more offsets.
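A check for the verification step above, as an added example (not from the original post or any Seagate tool): it parses a saved ^U capture into word offsets, decodes text fields, and reports which single-word SetStuff edits are not reflected in the dump. The sample is the first five lines of the dump shown earlier; the helper names and the field ranges passed to decode_text are assumptions read off that dump and will differ on other drives.

```python
import re

# First five dump lines from the AT Stuff capture shown earlier (words 0x00-0x27).
SAMPLE_DUMP = """\
T>^U
AT Stuff
0000: 0c5a 3fff c837 0010 0000 0000 003f 0000
0008: 0000 0000 2020 2020 2020 2020 2020 2020
0010: 3556 4346 354a 3131 0000 4000 0004 332e
0018: 4141 4120 2020 5354 3932 3530 3832 3741
0020: 20ff 2020 2020 2020 2020 2020 2020 2020
"""

# "oooo: wwww wwww ..." with one or more 4-digit hex words after the offset.
LINE_RE = re.compile(r"^\s*([0-9a-fA-F]{4}):((?:\s+[0-9a-fA-F]{4})+)\s*$")


def parse_at_stuff(text):
    """Return {word_offset: 16-bit value} for every dump line in a capture."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # prompts, banners and blank lines are skipped
        base = int(m.group(1), 16)
        for i, tok in enumerate(m.group(2).split()):
            words[base + i] = int(tok, 16)
    return words


def decode_text(words, start, count):
    """Decode `count` words from `start` as text, high byte first (0x5354 -> "ST")."""
    chars = []
    for off in range(start, start + count):
        if off not in words:
            raise KeyError(f"offset {off:02x} missing from dump")
        for byte in (words[off] >> 8, words[off] & 0xFF):
            # Non-printable bytes (such as the ff at offset 20) show as "."
            chars.append(chr(byte) if 0x20 <= byte < 0x7F else ".")
    return "".join(chars)


def parse_setstuff(cmd):
    """Split 'ASCI1B5354' into (0x1b, 0x5354): one word per command, as in the post."""
    m = re.fullmatch(r"ASCI([0-9A-Fa-f]{2})([0-9A-Fa-f]{4})", cmd.strip())
    if not m:
        raise ValueError(f"not a single-word SetStuff command: {cmd!r}")
    return int(m.group(1), 16), int(m.group(2), 16)


def check_edits(words, commands):
    """List (offset, wanted, found) for each command whose word is not in the dump."""
    mismatches = []
    for cmd in commands:
        off, wanted = parse_setstuff(cmd)
        found = words.get(off)  # None when the capture does not cover the offset
        if found != wanted:
            mismatches.append((off, wanted, found))
    return mismatches


if __name__ == "__main__":
    w = parse_at_stuff(SAMPLE_DUMP)
    print("serial  :", decode_text(w, 0x10, 4))
    print("firmware:", decode_text(w, 0x17, 4))
    print("model   :", decode_text(w, 0x1B, 6))
    edits = ["ASCI1B5354", "ASCI1E3331", "ASCI1F4153"]
    for off, wanted, found in check_edits(w, edits):
        shown = "missing" if found is None else f"{found:04x}"
        print(f"offset {off:02x}: wanted {wanted:04x}, dump has {shown}")
```

Run it against the capture taken after the W command and a terminal restart; an empty list from check_edits means every listed word is in place.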

Writing the LBA and the Firmware Revision

These last two are basically the same as writing the model number. I wasn’t really sure what I was looking for when I was trying to find the LBA offset, but I found this site: http://tinyurl.com/cxgvqva – This is also where I found out how to use SetStuff in the first place. If you know what your drive’s LBA is in hex before you start, you will have a huge advantage over me, but I did not. Since their Model Number Offset started at 1B, the same as mine, I figured the LBA offsets could quite possibly be the same, so I used SetStuff to modify offset 83 and 84. (NOTE: On this site, they put the whole string of numbers they wanted to change into one offset instead of doing them one by one like we did with the model number. I tried this, and it did not work for me. Instead, it started changing offsets that were incorrect, or it would just not do anything. I still think the best/safest way is to do them one at a time, even if it takes longer.) They also recommend changing offsets 3C and 3D to the same values; however I did not see that the first time I read it. After this, send ^T.

So it will look something like this:

T>F

SetStuff->ASCI837059

Stuff key 83 -> 70 59

T>F

SetStuff->ASCI841C1D

Stuff key 84 -> 1c 1d

T>F

SetStuff->ASCI3C7059

Stuff key 3C -> 70 59

T>F

SetStuff->ASCI3D1C1D

Stuff key 3D -> 1c 1d

T>W

T>^T

I was never 100% sure I did the LBA correctly, but this was the best information that I found about that portion of the change.

Same goes for the Firmware Revision, and this is one part I got stuck on.

If you look in the AT Stuff dump you took earlier, you will notice that 3.AAA, or the Firmware Revision number for me anyways, was directly in front of the drive’s model number. It populated offsets 17-1A on my drive. I did the same SetStuff we have been doing to change it, but the drive reverts to its old offset when it is restarted. I will post what I did anyways so you can look, and hopefully have better luck than I did. We want to change the revision to the hex value of 3030 3032 9495 4345 3032

T>F

SetStuff->ASCI173030

Stuff key 17 -> 30 30

T>F

SetStuff->ASCI183032

Stuff key 18 -> 30 32

T>F

SetStuff->ASCI194345

Stuff key 19 -> 43 45

T>F

SetStuff->ASCI1A3032

Stuff key 1a -> 30 32

T>W

Like I said, running ^U before resetting the drive shows the changes I made in the correct place. After restarting the drive, it resets the offsets to what they were previously. I don’t know if this will happen to you as well, so try it out and see what happens. I have no way of testing anything else at the moment, so if it doesn’t work, I won’t be of much help.

Using HxD to Copy the Security Sectors

Power down the drive, and disconnect it from the serial cable and power. In HxD you will want to open two things. First, you will want to open the HDDSS.bin file you got from me. Second you will want to put the hard drive in your external enclosure and connect it to your computer. Inside of HxD, you will want to go to extras, then select open disk. In the physical disks section, select the last one (usually). It’s best to only have 2 disks total to make it easier. (Your main OS disk, and the Seagate we are working on.) Make sure read only is unchecked. Go back to the HDDSS.bin tab, and select everything. Edit copy. Go back to the disk tab. Scroll down to Sector 16. Select all of Sector 16 down to Sector 22. Edit paste insert. When you are feeling brave, File Save.

Using HDDHACKR to Create the Partitions

You will need to make a bootable USB stick or cd with a copy of MS-DOS on it. There are quite a few tutorials how to do this, so I won’t cover it here. You will need to copy HDDHACKR onto whatever bootable medium you choose.

Power down the computer you are going to connect the drive to, and hook your Seagate drive up. It is also a good idea to disconnect the other drives in the computer to prevent overwriting the wrong one. Power up the machine with the bootable medium connected. Boot into MS-DOS, and then run HDDHACKR. It will scan your system for discs. Select your Seagate drive from the list. We don’t need to worry about flashing the bin file, since it won’t work anyways. Select Create Partitions instead. It will probably say it was successful, but it won’t go back to the command prompt. Power down the computer when the partitions are created successfully.

What Happens When You Make a Mistake

This is where I got before I bricked my drive. I was trying a new command that I wasn’t too sure about, and it ended up disallowing me to enter the T> prompt. Instead, I am stuck in Level F, and I am unable to change levels. Currently, I am getting the following error when the device is powered on:

Buzz HM SFI

!

Code – 43 Track 0F82F.0.01E Sns 01E

F>

So, that is as far as I got. I had just about everything (I think, minus the Firmware Revision), and then made a mistake.

Will this guide let you use your Seagate drive in your Xbox? I can’t say for sure. I am fairly confident that if someone were able to find a way to change the firmware revision successfully, the Xbox would recognize the drive.

I do hope that the information is somewhat helpful to someone. I would love to hear back from you, and know if this has helped someone. I have no intention of quitting on this project. I hope someday soon to figure out my way past the error I am plagued with at the moment, and continue figuring out how to make this work. If anyone has any tips on what things to try, I’m all ears.

http://sediv2008.narod.ru/Easy1014.rar – Download the SeDiv Program. This serves basically the same purpose as putty or hyperterminal, but it is much more powerful when dealing with Seagate drives, as this is what it was made for.